Ah, yep, that works perfectly! Thank you!
crcSalt is actually very rarely the proper option to set. It's often better to raise the initCrcLength to a higher value in case the file has a pretty constant header.
A "?" operator in regex can be applied to a whole group. So this regex: (?<prefix>\w+)(\s(?<middle>\w+))?\s(?<postfix>\w+) should match and parse two-word strings into a prefix-postfix pair, but if you happen to have the optional middle word, it will be parsed out as a "middle" field. As always, use https://regex101.com/ and test your regexes (it also provides a good explanation of what each regex component does).
Hi all, looking for help with how I can extract all available fields in a set of logs where a particular field sometimes does not exist. In Log A, the 'inline result' field exists, but in Log B it does not, and hence my current regex then fails for that log entry. I know I could probably use a Splunk app to auto-manage this, but I want to understand how I could do this myself. Any suggestions please?
Log A
%FTD-1-4xxxxx: DeviceUUID: X, InstanceID: 13, FirstPacketSecond: 2023-11-23, ConnectionID: y, SrcIP: 10.10.10.10, DstIP: 11.11.11.11, SrcPort: 666, DstPort: 999, Protocol: tcp, IngressInterface: z, EgressInterface: inta, IngressZone: intb, EgressZone: intc, Priority: 1, GID: 1, SID: 58724, Revision: 6, Message: SERVER-OTHER Apache Log4j logging remote code execution attempt, Classification: Attempted User Privilege Gain, Client: Web browser, ApplicationProtocol: HTTP, IntrusionPolicy: IntPolicy-000001, ACPolicy: ACpolicy_00001, AccessControlRuleName: ACrule-000001, NAPPolicy: Balanced Security and Connectivity, InlineResult: Would have blocked, IngressVRF: Global, EgressVRF: Global
Log B
%FTD-1-yyyyyy: DeviceUUID: Y, InstanceID: 15, FirstPacketSecond: 2023-11-23, ConnectionID: Z, SrcIP: 12.12.12.12, DstIP: 13.13.13.13, SrcPort: 111, DstPort: 222, Protocol: tcp, IngressInterface: Port-channel6, EgressInterface: INT1, IngressZone: INT2, EgressZone:INT3, Priority: 2, GID: 133, SID: 59, Revision: 1, Message: DCE2_EVENT__SMB_BAD_NEXT_COMMAND_OFFSET, Classification: Potentially Bad Traffic, WebApplication: SMBv3-unencrypted, Client: NetBIOS-ssn (SMB) client, ApplicationProtocol: NetBIOS-ssn (SMB), IntrusionPolicy: INTIDS, ACPolicy: ACBpolicy, AccessControlRuleName: ACBrule, NAPPolicy: Balanced Security and Connectivity, IngressVRF: Global, EgressVRF: Global
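Added example (not from any poster above): it shows the optional-group technique from the regex answer applied to the InlineResult field of the two FTD events, and beside it a generic "Key: value" extractor, so a field that is absent from one event simply does not appear instead of breaking the extraction of every other field. The log lines are constructed, abridged copies of Log A and Log B; the function and field names are assumptions.

```python
import re

# Constructed, abridged versions of the two FTD events quoted in the question (not real data).
LOG_A = ("%FTD-1-4xxxxx: DeviceUUID: X, InstanceID: 13, SrcIP: 10.10.10.10, "
         "DstIP: 11.11.11.11, Message: SERVER-OTHER Apache Log4j logging remote code "
         "execution attempt, Classification: Attempted User Privilege Gain, "
         "NAPPolicy: Balanced Security and Connectivity, InlineResult: Would have blocked, "
         "IngressVRF: Global, EgressVRF: Global")
LOG_B = ("%FTD-1-yyyyyy: DeviceUUID: Y, InstanceID: 15, SrcIP: 12.12.12.12, "
         "DstIP: 13.13.13.13, EgressZone:INT3, Message: DCE2_EVENT__SMB_BAD_NEXT_COMMAND_OFFSET, "
         "Client: NetBIOS-ssn (SMB) client, NAPPolicy: Balanced Security and Connectivity, "
         "IngressVRF: Global, EgressVRF: Global")

# Approach 1 (the "?" on a whole group from the answer above): the InlineResult pair is
# its own optional group; the NAPPolicy/IngressVRF anchors keep the match honest either way.
INLINE_RE = re.compile(
    r"NAPPolicy:\s*(?P<nap>[^,]+)"
    r"(?:,\s*InlineResult:\s*(?P<inline_result>[^,]+))?"
    r",\s*IngressVRF:\s*(?P<ingress_vrf>\w+)"
)

def inline_result(line):
    """Return the InlineResult value, or None when the event has no such field."""
    m = INLINE_RE.search(line)
    return None if m is None else m.group("inline_result")

# Approach 2: a generic "Key: value" extractor. A missing field is simply absent from the
# dict rather than failing the whole regex. The lookahead ends a value at the next
# ", Key:" boundary, so values with spaces or parentheses ("NetBIOS-ssn (SMB) client")
# stay intact, and "\s*" tolerates "EgressZone:INT3" with no space after the colon.
KV_RE = re.compile(r"(?P<key>\w+):\s*(?P<value>.*?)(?=,\s*\w+:|$)")

def parse_ftd(line):
    """Split an FTD syslog line into {"message_id": ..., Key: value, ...}."""
    msg_id, _, body = line.partition(": ")
    fields = {"message_id": msg_id}
    for m in KV_RE.finditer(body):
        fields[m.group("key")] = m.group("value").strip()
    return fields

if __name__ == "__main__":
    for line in (LOG_A, LOG_B):
        f = parse_ftd(line)
        print(f["message_id"], f.get("InlineResult", "<absent>"), inline_result(line))
```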
Hello, thanks for the reply. crcSalt = <SOURCE> I've been adding crcSalt into my stanza, but still not all the files have been synced.
Use Classic Dashboards - you have more flexibility with CSS
| eval curActStart=strftime(strptime(curActStart,"%F %T.%S")+(60*60*5)+(60*30),"%F %T.%S")
Hello, by default the fonts in a line chart are white. How can I change these colors to black?
Don't want to sound too harsh, but please try to read the installation guide and understand what you're doing. From the screenshot history it shows clearly that you're copy-pasting blindly quasi-random commands in hope of them working. It won't work that way. The only thing you can achieve is breaking your system completely.
Hi Everyone, I would like to ask you about configuring ITSI. I want to configure ITSI as in the example I show you below. I have 3 services (service1, service2 and service3). If some KPI in service3 is critical, I want to see service 2 and 1 as critical. After 5 minutes, if I don't see critical in service3, I want the tree to immediately change to the normal state (green). Can I configure ITSI as I show you above?
The short technical answer is that index access is granted on a per-role basis. So unless you have your roles configured so that a user is given a specific role depending on whether he's supposed to see that index or not, you can't do anything about it. It's simply how Splunk works. But Splunk can perfectly well work with users having multiple roles assigned. Multiple LDAP strategies and multiple roles are two different things. So if you need to manage two separate LDAP strategies - tough luck. If you have two separate authentication/authorization sources, you have to work it. But if you just want to separate roles, just include your users (or not) into two groups mapped to different roles and you're done.
What have you tried so far and what do you mean by "didn't work"?
Hi @Anton , at first never use inherited roles, because you have the same grants as the original role and you lose control of grants! Then you have to create two indexes: one containing only events with sensitive data, accessible only from a dedicated role and not from the others, and a second one containing all the other events, accessible both from the dedicated role above and from the other enabled roles. In this way the special role can access all the events in both indexes (sensitive and not sensitive), while the other enabled roles can access only the public events index and not the sensitive events index. Ciao. Giuseppe
If you want a 100% confirmation, you should simply read the terms of service but my understanding is that there is no additional cost for archiving/restoring but there are limits to the amount of data you can restore at any given point in time. I'm not sure - and that is something you'd need to ask your Splunk representative - if there is any possibility (and if so, how costly) to restore the archived data should you need more than the mentioned 10% at one time. To be honest, I don't understand what kind of transfer fee you'd want to pay if it's all managed by Splunk and the traffic is "internal" to the Splunk Cloud infrastructure (even if it's spread across different cloud provider's environments - it's transparent to you completely). So maybe we're mixing two different things here. If your customer gets DDAA - customer pays for the archive solution and it's managed wholly by Splunk and is restorable by submitting a request through Cloud interface. If your customer gets DDSS - customer needs to provide own storage for which the customer must pay separately (storage and transfer fees if applicable) and in case of a need to restore - the data must be retrieved to a local on-site installation of Splunk Enterprise - it's not restorable to the Cloud instance.
To add to @ITWhisperer 's answer - Splunk processes timestamps as "unix timestamps" - integers containing the number of seconds since the epoch. As such, a timestamp is "timezoneless"; it's just rendered when needed into a string, possibly containing a timezone description. But a timestamp is always (when rendered automatically by the WebUI or explicitly when strftime is called) rendered in the user's timezone (the one set in the user's preferences). So while with strptime you can read and apply the timezone offset from the string representation of a given point in time, strftime doesn't let you specify the timezone freely. The only thing you can do is "cheat" a bit by manually adjusting the timestamp with the offset to another timezone and rendering it in your local timezone, but without displaying said timezone.
Hi, firstly, thanks for the fast reply; however, there are cases where the users are required to access both sensitive and non-sensitive indexes at the same time using the same user. Another concern is the scaling factor. Below is my scenario.
Hello, when I run the SPL below, it gives me all the regions that a user has accessed from. If I want to exclude a region or country from the list, where do I add it to the SPL query and what is the SPL? I have used several exclusion queries but they didn't work. Please help.
| tstats count(Authentication.user) FROM datamodel=Authentication WHERE (index=* OR index=*) BY Authentication.action Authentication.src | rename Authentication.* AS * | iplocation src | where len(Country)>0 AND len(City)>0
Also, how could we capture the terminated users who are accessing their accounts on a daily basis? We created the information point using the method name and class, but the termination date is not returned in the response. Do we have any other options to capture these terminated users and the age >59+ users accessing their accounts on a daily basis?
Yes, but not at the core level. Any input on how to capture the age >59+ users accessing their accounts on a daily basis?
Hi @Viveklearner , good for you, see you next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated